Reflexive Access-Lists posted 03/11/2004

The whole idea of a Reflexive List is to allow the packets originated behind the
originator device.

For example, if I am required to allow only telnet packets from the outside network to one
of my routers behind the Internet router:

ISP router ----------------------------------(S0) (My Internet router)
(E0)--------------------------------(E0) (My Edge router) (E1)------Local LAN
where the telnet server resides at

I could do this:

IP access-list extended INBOUND
permit tcp any any reflect REFLEXIVE

IP access-list extended OUTBOUND
permit tcp any host eq Telnet    <---- see note below
evaluate REFLEXIVE

int e0
ip access-group INBOUND in
ip access-group OUTBOUND out

Note on the "permit tcp any host eq Telnet" line: this is per documentation, but I don't
seem to agree with that. To me, it should be like "permit tcp host eq telnet any". The
reason is because when a host at the ISP originates a request, with the host being the
SOURCE and the telnet server being the DESTINATION, and when the server replies back to
the request coming from the host, it then becomes the SOURCE and the host becomes the
That is the basic rule I learned when I started configuring access-lists, but why
wouldn't we apply the same logic for reflexive access-lists? I know I am wrong but needs
some
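To make the reflect/evaluate mechanics the post is asking about concrete, here is an added Python model (my own illustration, not IOS code and not from the post): "reflect" stores a temporary entry that mirrors the triggering packet, so the server's reply, with source and destination swapped, is what "evaluate" later permits, and a packet with no matching session is denied. The addresses, ports and timeout are constructed placeholders.

```python
from collections import namedtuple

# Constructed model, not IOS code: a packet is a 5-tuple in ACL order.
Packet = namedtuple("Packet", "proto src sport dst dport")

class ReflexiveList:
    """Toy model of an IOS reflexive ACL: 'reflect' adds a temporary entry that
    mirrors the triggering packet; 'evaluate' matches packets against it."""
    def __init__(self, timeout=300):      # IOS default reflexive timeout is 300 s
        self.timeout = timeout
        self.entries = {}                 # mirrored 5-tuple -> expiry time

    def reflect(self, pkt, now):
        # Source and destination are swapped: the entry describes the REPLY.
        key = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt, now):
        expiry = self.entries.get(pkt)
        if expiry is None:
            return False
        if now >= expiry:                 # stale entry: remove it and deny
            del self.entries[pkt]
            return False
        return True

    def show(self):
        # Render entries roughly as 'show access-lists' would list them.
        return [f"permit {e.proto} host {e.src} eq {e.sport} host {e.dst} eq {e.dport}"
                for e in self.entries]

def telnet_scenario(now=0, reply_delay=10):
    """INBOUND:  permit tcp any host SERVER eq 23 reflect REFLEXIVE
       OUTBOUND: evaluate REFLEXIVE   (addresses are constructed placeholders)"""
    host, server = "203.0.113.10", "192.0.2.23"
    refl = ReflexiveList()
    request = Packet("tcp", host, 40000, server, 23)
    inbound_ok = request.proto == "tcp" and request.dst == server and request.dport == 23
    if inbound_ok:
        refl.reflect(request, now)                    # session now tracked
    reply = Packet("tcp", server, 23, host, 40000)    # server answers the host
    stray = Packet("tcp", server, 23, "198.51.100.7", 40000)   # no such session
    return {
        "inbound_ok": inbound_ok,
        "reply_ok": refl.evaluate(reply, now + reply_delay),
        "stray_ok": refl.evaluate(stray, now + reply_delay),
        "entries": refl.show(),
    }
```

Calling `telnet_scenario()` shows the temporary entry listed with the server as source and the ISP host as destination, which is the mirrored form a reply takes; calling it with `reply_delay=600` shows the entry expiring and the late reply being denied.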